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Token-based personalization of smart appliances 



FIELD OF THE INVENTION 

The invention relates to appliances whose user interfaces can be made less 
complicated through the use of personal preference, or profile, data. More particularly, the 
invention relates to the use of a physical token or tag that indicates the identity of the user 
5 and mechanisms by which profile data may be obtained from a store accessible via a 
network. 

BACKGROUND OF THE INVENTION 

Many modem appliances such as televisions, telephones, computers, etc. are 
10 capable of providing such a large array of options that a demand exists for devices that allow 
them to be personalized to make them easier to use. An example is set top boxes that provide 
personalized electronic program guides (EPGs). These can be personalized either actively, 
by specifying rules for selecting or filtering out programming; or passively, by allowing the 
set top box to extract rules from use over an extended period of time. Another very simple 
1 5 example of a personalized appliance is a telephone speed dial directory. Still another 

example of a personalized appliance is a desktop computer, whose applications usually allow 
a large variety of personal settings to be established to customize the working environment. 

A first drawback with many such appliances is the lack of an ability to store 
multiple profiles in an appliance. In addition, if a new appliance is purchased, rented, or used 
20 (such as during a visit to another’s residence) the personal data generated by one appliance is 
not available for use with another appliance. 

A second drawback with the above personalization approach is the fact that 
each of multiple users of a single appliance may employ divergent criteria for selecting 
features. These may conflict as when personalizing a user interface of a computer. 

25 Alternatively they may expand the option space so much that the benefits of personalization 
are diminished as when each member of a family make personalization contributions to a 
television EPG or a speed dial list. In the example of an EPG, one family member’s selection 
of documentaries, another’s selection of sitcoms, and another’s selection of sports contributes 
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to the expansion of the selection space to something that is nearly as impersonal as an 
unpersonalized EPG. 

One attempt to overcome the first of the foregoing difficulties in the particular 
environment of an Internet terminal is the use of smart cards to store the personal 
5 identification data. An example of such a solution is described in US Patent No. 5,983,273. 
The above patent describes a system in which a smart card containing a unique network 
address is inserted in a set top box. Information on the smart card is transmitted to an 
Internet server and in response the server downloads to the set top box information particular 
to the user to configure the set top box. The interaction between the card, terminal (set top 
1 0 box) and server may provide for authentication. The information delivered by the server 
includes filtering information for viewing web sites, access privilege data in the form of a 
ticket, and favorites lists. The ticket is used to invoke permissions at web sites and provide 
for at least one customized response. The specification describes sending the user’s email, 
favorite links, titles in a URL, and thumbnails in response to the ticket. 

15 Another patent DE 197 13 271 briefly describes a client-server system in 

which a transponder is used to classify a user and the services delivered to the client 
customized based on information specific to the user or user-class. This can address the 
second of the drawbacks be causing the appliance to switch to a different personalization 
depending on the user. 

20 Another patent GB 2 325 537 addresses the second of the drawbacks in the 

area of EPG applications. In this application, each user in a group, such as a family, 
identifies himself/herself as a current user. Separate profiles are developed by each user. 
Then, when multiple users watch the television together, their profiles are, selectively, either 
logically ANDed or logically ORed to produce a new profile that is then used to filter the 
25 EPG. 

The prior art techniques solve some of the difficulties of adapting appliances, 
but there is a need to make it easier for a user to personalize an appliance and to transfer 
information about preferences from one appliance to another. In addition, there is a need to 
make it easier and more convenient to combine the profiles of multiple users. Furthermore, 
30 the mechanisms for providing such convenience must be such that manufacturers can provide 
them without having to support complex service infrastructures such as required by the smart 
card system described in US Patent No. 5,983,273. 
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SUMMARY OF THE INVENTION 

Briefly, a radio frequency identification (RFID) token is used with appliances 
to access profile data to personalize the appliance. Each token contains a pointer to a relay 
location on a network with a further pointer indicating a profile location where user-profile 
5 data is stored. When a user wants to use an appliance, he/she places the token near the 

appliance and the appliance accesses the data from the site indicated (pointed to) by the relay 
location. The profile location may contain many different types of data such as speed dial 
lists, media preferences, preferred product classifications, etc. The appliance could obtain 
just the information it required, for example if the database were XML-tagged, by filtering 
1 0 out irrelevant content and personalize itself accordingly. When multiple users wish to use a 
single appliance, for example a television, each may place his/her token near the appliance 
and the appliance may then combine relevant profile data accordingly to develop a single 
composite profile to use to personalize the appliance. 

A component of the invention is an RFID tag or token or any suitable device 
1 5 capable of storing identification, authorization, and/or authentication data. Each RFID device 
contains a unique Internet uniform resource locator {URL} called the relay location. The 
relay location URL stores a profile URL that is owned and maintained by and/or for the user. 
A manufacturer of the device could supply them with new set top boxes, telephones, 
televisions, computers, or other appliances. The user may maintain his/her personal data at a 
20 location - a profile server - that is independent of the relay location, which corresponds to the 
token only. 

The token or device may simply be placed near the smart appliance while the 
user is using it. The device may be required to be placed close to the appliance or it could be 
permitted to work in a field that is a substantial radius, say several meters, as in a Bluetooth® 
25 network. If the device is used in a physical setup where a user may leave the vicinity of the 
appliance for a period of time and then return and it would be disruptive to have the profile 
removed dining that interval, the appliance could provide a persistence period option. Thus, 
the user could indicate the length of the maximum interval after which the non-presence of 
the device should indicate that he/she is no longer a current user. This could be.useful in 
30 situations where many people are simultaneously using an appliance. For example, when one 
member of the family gets up to make some popcorn, it would be undesirable for that user’s 
profile data to be removed from the pool. To prevent transient occupants from being added 
to the user group, the detection of a token would not cause the addition of a user to a group 
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unless confirmed or authenticated. Thus, the appliance could request confirmation that a new 
occupant confirm that he/she should be added to the user group. 

Alternatively, the devices could be required to be placed right near the 
appliance. In this scenario, each user would leave his token or device on top of or near the 
5 appliance while he/she is expected to remain an active member of a group of users. This 
would have the advantage of preventing inadvertent addition of transient occupants of the 
room being added to the user group. 

When the token establishes a link with a smart appliance, it conveys the relay 
URL and an identifier of the token. The smart appliance accesses the relay URL, which 
1 0 responds by transmitting the profile URL. The smart appliance then attempts to link with the 
profile URL. For security, the token may provide data identifying the token as well as the 
relay location URL and the smart appliance may be required to transmit this identifier to be 
authorized to link with the profile location. With this authorization requirement, if a user lost 
his/her RFID device, he/she could indicate the loss of the device to the profile destination. 

15 Subsequent attempts to use the device could then be unauthorized. Thus, another user 

attempting to access the first user’s data would fail the authorization and be unable to access 
the profile data. Alternatively, authorization could be handled through the relay location 
server. In this case, the lost device or token could be reported to the supervisor of the relay 
server, which could then no longer transmit the profile URL in response to service requests 
20 from the lost device. Alternatively, the relay URL could simply be discontinued for all time 
or reused by coupling it to a new secondary authentication tag. The latter” may be 
implemented by having the relay server require an authentication code from the device before 
returning the profile URL. Still another alternative is to provide security at both the relay 
server and the profile server. 

25 Returning to the use scenario, assuming a link has been established between 

the smart appliance and the profile server, the user(s) may be prompted to enter a PIN 
number or some other authentication device to allow the profile to be used. The user may 
enter the authentication information on the appliance or via the RFID device itself. Thus, the 
tag could be provided with a small user interface allowing input and display of data. 

30 The appliance could continuously poll its vicinity to determine the constitution 

of the current group of users. If the group has changed, the appliance may take appropriate 
action. The token may be a radio terminal, a transponder, an RFID tag, or any other kind of 
device that is able to transmit data wirelessly. If the device has its own power source, the 
appliance would not have to poll for new devices. 
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As the constitution of a user group changes, the appliance may provide 
information about the combined profile so that the group can make adjustments or reconcile 
conflicts. Profiles will inevitably contain imperfect information and methods for reconciling 
them may always be limited to some extent. Thus, for example, the non-presence of sitcoms 
5 in one user’s profile could indicate indifference or antipathy. The mechanism for reconciling 
may be limited to simple logical operations such as union or intersection of sets of rules. 
Presenting feedback on the combined profile and how it was created could allow the users to 
create a more intelligent reconciliation. A user interface to support such an interactive 
reconciliation may display all the categories of favored material from the various profiles and 
1 0 allow the user(s) to select from among them. For example, in the above case where a user 
profile did not contain sitcoms, the group might select that category if the one user was 
indifferent or might deselect them if the user strongly disfavored that category of material. 

If a user leaves a group and his/her profile is withdrawn, the appliance may be 
programmed to determine whether the combined-profile space has changed sufficiently as to 
1 5 suggest a change to the current group. For example, suppose the only person that disfavors 
sports leaves the group leaving only sports-lovers behind. The current compromise of 
sitcoms resulting from an intersection of the profiles of the earlier group could be drastically 
altered generating much stronger matches with the now-current group preferences. So in this 
case, the appliance (e.g., television) would suggest new programming for the group to 
20 consider. 

Combining profiles need not be a constant homogenized solution space. It is 
possible for a single group, which is planning to watch TV for a period of, say two hours, to 
compromise in a time-dependent way that maximizes the value for all members. Suppose the 
combination of profiles suggests highly preferred programming for one member or subgroup 
25 during the first hour and highly valued programming for another member or subgroup during 
the second hour. If the appliance knew the time during which the group would use the 
appliance together, it could make use of that information to allow selections to be made that 
would segregate the high value selections in time. The result would be that one member 
would get to see his/her most preferred programming during a first interval while another 
30 would get to see his/her most preferred programming during a second interval. 

When a consumer buys an appliance, multiple RFID devices may be shipped 
with it. Alternatively, a single device may be shipped with a new appliance and further 
devices purchased when and if required. If the devices are to be used with multiple types of 
appliances or even multiple appliances made by multiple manufacturers, there may be a 
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communications protocol standard that all would adopt. Alternatively, different protocols 
may be used by different manufacturers and each appliance built to recognize and interact 
with the devices of other manufacturers. If multiple devices are shipped with a product, to 
prevent wasted resources in the relay server, a user is required to register his/her device. The 
5 user logs onto the relay server, authorizes him/herself as a valid user, and enters the profile 
URL. The user can always change or update this URL, but the resources required for each 
user is very small so that many users can be serviced with a very small storage space. Also, 
to mi nimiz e contact with the relay server, appliances can be programmed to persist the 
profile data or the URL data for a period of time before the data is expired. Preferably this 
1 0 data is never revealed unless via a secure interface, so storage on the appliance should not 
present a privacy problem. 

The invention contemplates a private profile database. According to one 
feature of the invention, each appliance may contribute information to this database. The 
prior art contains various descriptions of systems that adapt to user preferences by observing 
1 5 user-interaction with the appliance. For example, by observing a user’s programming 

choices over time, an EPG set top box can derive rules and use these to personalize the EPG 
in the future. This profile data may be uploaded by the appliance to the user’s personal 
profile server. Preferably, the data format would be standardized across multiple classes of 
appliances, but this is not essential. For example, the data could be XML-tagged and stored 
20 ad hoc, allowing various devices to make sense of it through the tagging. 

As described above, the invention provides, among other things, the ability to 
“move” profile or preference data among various appliances. It also provides the ability to 
associate the profile or preference data with a physical object rather than something that must 
be memorized, like a URL. It further provides a simple, fast, convenient mechanism for 
25 identifying a user without requiring data entry through a user interface. It still further 

provides the ability for an ad hoc group to be defined and indicated to an appliance and have 
multiple user profiles merged thereby. Still further, it provides the ability for a manufacturer 
to provide a key to the supporting service infrastructure without requiring the manufacturer to 
support the bulk of the necessary data. The latter feature has the advantage of permitting 
30 devices for making the user’s data more secure and private. 

The invention will be described in connection with certain preferred 
embodiments, with reference to the following illustrative figures so that it may be more fully 
understood. With reference to the figures, it is stressed that the particulars shown are by way 
of example and for purposes of illustrative discussion of the preferred embodiments of the 
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present invention only, and are presented in the cause of providing what is believed to be the 
most useful and readily understood description of the principles and conceptual aspects of the 
invention. In this regard, no attempt is made to show structural details of the invention in 
more detail than is necessary for a fundamental understanding of the invention, the 
5 description taken with the drawings making apparent to those skilled in the art how the 
several forms of the invention may be embodied in practice. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a schematic illustration of a system in which in the invention may be 
10 advantageously applied. 

Fig. 2A is an illustration of a television with a set top box generating an 
electronic program guide in which the invention may be used. 

Fig. 2B is an illustration of an RFID token according to an embodiment of the 

invention. 

15 Fig. 3 is an illustration of a set of connections used by an appliance to obtain 

profile data according to an embodiment of the invention. 

Fig. 4 is a flow chart indicating a procedure for obtaining profile data 
according to an embodiment of the invention. 

Fig. 5 is a flow chart indicating a procedure for adding a new user to a group 
20 of users according to an embodiment of the invention. 

Fig. 6 is a flow chart indicating a procedure for removing a user from a group 
of users according to an embodiment of the invention. 

Fig. 7 is a flow chart indicating another procedure for adding a new user to a 
group of users according to an embodiment of the invention. 

25 Fig. 8 is a flow chart indicating another procedure for removing a user from a 

group of users according to an embodiment of the invention. 

Fig. 9 is a flow chart indicating one type of secure procedure for accessing a 
user profile according to an embodiment of the invention. 

Fig. 10 is a flow chart indicating another type of secure procedure for 
30 accessing a user profile according to an embodiment of the invention. 

Fig. 1 1 is a flow chart indicating a procedure for providing new options to a 
group of users whose profile mix has changed. 

Fig. 12 is a flow chart illustrating a user interface for allowing a group to 
optimize a mix of profile data. 
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DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Referring to Fig. 1, the invention will be described in the environment of an 
electronic program guide (EPG) for a home television system. In an embodiment, a 
5 computer (or "set-top box") 240 displays program information on a television or monitor 230. 
The computer 240 may be equipped to receive a video signal 260 and control a channel- 
changing function as well as accept search queries through user input devices such as a 
keyboard 21 1 or handheld remote control 210. The EPG can be browsed based on simple 
criteria such as a default filter (such as current time of day) as well as queried using a search 
10 engine process. The computer 240 may also be programmed to allow a user to select 
channels through a tuner (not shown) inside the computer 240 rather than through a 
television’s tuner (not shown). The user can then select a program to be viewed by 
highlighting a desired selection from a displayed program schedule using a remote control 
210 to control the computer. The computer 240 has a data link 260 through which it can 
15 receive updated program schedule data. This could be a telephone line connectable to an 
Internet service provider or some other suitable data connection. The computer 240 has a 
mass storage device 235, for example a hard disk, to store program schedule information, 
program applications and upgrades, and other information. Information about the user’s 
preferences and other data can be uploaded into the computer 240 via removable media such 
20 as a memory card or disk 220. Alternatively, information may be obtained from a 
transponder such as an RFID token or device 100. 

EPG data may include titles and various descriptive information such as a 
narrative summary, various keywords categorizing the content, etc. These may be searchable 
as full text through a suitable user interface (UI). Referring now also to Fig. 2, the program 
25 information can be shown to the user and browsed by the user. The attendant display may be 
in the form of a time-grid 170 similar to the format commonly used for existing cable 
television channel guides. In the time-grid display 170, various programs are shown such as 
indicated by the bar at 130. The length of each bar indicates a respective program’s duration 
and the start and end points of each bar indicate the start and end times, respectively, of each 
30 respective program. A description window may be provided to show detailed information 
about a currently selected program. 

Content may be supplied from Internet servers 276 a satellite receiver 103 via 
any type of network 274 including radio, cable, optical, twisted pair or other metallic wiring. 

The content can be delivered as digital or analog signals. 
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Note that many substitutions are possible in the above example hardware 
environment and all can be used in connection with the invention. The mass storage can be 
replaced by volatile memory or non-volatile memory. The data can be stored locally or 
remotely. In fact, the entire computer 240 could be replaced with a server operating offsite 
5 through a link. Rather than using a remote control to send commands to the computer 240 
through an infrared port 21 5, the controller could send commands through a data channel 260 
which could be separate from, or the same as, the physical channel carrying the video. The 
video or other content can be carried by a cable, RF, or any other broadband physical channel 
or obtained from a mass storage or removable storage medium. It could be carried by a 
1 0 switched physical channel such as a phone line or a virtually switched channel such as ATM 
or other network suitable for synchronous data communication. Content could be 
asynchronous and tolerant of dropouts so that present-day IP networks could be used. 

Further, the content of the line through which programming content is received could be 
audio, chat conversation data, web sites, or any other kind of content for which a variety of 
1 5 selections are possible. The program guide data can be received through channels other than 
the separate data link 260. For example, program guide information can be received through 
the same physical channel as the video or other content. It could even be provided through 
removable data storage media such as memory card or disk 220. The remote control 210 can 
be replaced by a keyboard, voice command interface, 3D-mouse, joystick, or any other 
20 suitable input device. Selections can be made by moving a highlighting indicator, identifying 
a selection symbolically (e.g., by a name or number), or making selections in batch form 
through a data transmission or via removable media. 

Referring now to Figs. 2A, 2B, 3, and 4, the RFID token 100 has a non- 
volatile internal memory 502 for storing data and a transmitter 501. The token 100 has been 
25 placed near the appliance 240 which, as in Fig. 1 , may be a set top box or any other appliance 
indicated as a general appliance 340 in Fig. 3. This permits the appliance 340 and the RFID 
to establish a communications link momentarily such as to allow the RFID token 1 00 to 
transmit its relay URL information, and optionally, authentication data to the appliance 340. 
This occurs in step S10 of Fig. 4. Then, in step SI 5 the appliance 340 accesses the relay 
30 URL in a message that contains, optionally, information identifying the particular token 
and/or authentication information to authorize the relay server 310 to provide the profile 
URL data. In step S20, the relay server 310 may authenticate the request and then look up 
and transmit, back to the appliance 340, the location of the profile data. In step S25, the 
appliance 340 generates a request to the profile server 305 which may optionally contain 
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authentication/authorization data. Finally, in step 30, the profile data is returned. Note that 
profile data may be obtained in a multistep process whereby the appliance interrogates the 
profile database to determine the data that is available or alternatively, the appliance 340 may 
indicate to the profile server 305 the type of data required or the nature of the appliance, and 
5 the profile server 305 will transmit the relevant data. Another alternative is for the profile 
server 305 to package the data in a format requested by the appliance. 

The servers, represented generally by the box at 630 may be standard network 
devices having a network interface 620, a memory 640, and a controller 610. 

Note that instead of URLs, the location data can be provided in the form of IP 
10 addresses or any other suitable addressing mechanism permitting the location of data or 

processes on a network. The profile location may contain many different types of data such 
as speed dial lists, media preferences, preferred product classifications, etc. Note that the 
appliance 340 could obtain all the information in the profile database or just the information 
it requires. For example if the database were XML-tagged, the appliance 340 could filter out 
1 5 irrelevant content and personalize itself accordingly. Note also that features of the invention 
may be implemented using smart cards or other physical media, transponders, 
communications devices, etc. For example, the relay URL could be contained in a Bluetooth 
compatible cell phone, PDA, or even a piece of flash media or a disk. Preferably, however, it 
is desirable for the device to be cheap and capable of being transported everywhere. 

20 An alternative implementation of the RFID is to have the RFID data installed 

in multiple devices, one of which is likely to be at hand at any time. So when wireless 
piconets become a commonplace and people carry multiple interoperable wireless devices, 
the ID information on the RFID token could be stored in each device owned by a particular 
. user. Thus it would not be necessary for the user to carry around a particular token. In that 
25 case, the manufacturer of an appliance or a third party could simply provide the relay URL 
data and the relay server to customers or as a fee service. 

The RFID token may be shipped with a new appliance and/or sold separately. 
Examples of appliances are telephones, televisions, computers, kitchen appliances, PDAs, 
movie boxes in hotel rooms, VCRs, or any device that can be customized. Appliances need 
30 not be owned by the user. For example a hotel or shopping mall video kiosk could make use 
of the token for self-customization allowing it to provide relevant advice to a traveler or 
shopper. Workers changing workstations could have the software of their workstations set 
themselves up according to the worker’s preferences no matter where the worker moved in an 
office. The customizable features may consist of the location of icons on a desktop, the 
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resolution of a screen, the settings of application software such as toolbars, background 
colors or any other persistent reset-able feature. Preference information may also cross 
boundaries so that a shopping mall kiosk could recommend fashion venues or restaurants 
based on television or movie preferences. 

5 The token or device may simply be placed near the smart appliance while the 

user is using it. The device may be required to be placed close to the appliance or it could be 
permitted to work in a field that is a substantial radius, say several meters, as in a Bluetooth® 
network. One advantage that derives from a close-proximity requirement is that it allows 
users to enter and leave a user group by simply placing and removing the user’s token. If the 
10 device is used in a physical setup where a user may leave the vicinity of the appliance for a 
period of time and then return and it might be disruptive to have the profile removed during 
that interval. 

One way to get around the problem of leaving a the contact range of the 
appliance without leaving the group in a system using a large-radius RFID device is to 
1 5 provide in the programming of the appliance, a persistence period. When a user enters a 

group, the user’s profile data is not added to the groups until he/she as remained in the group 
for a minimum period of time. After that initial interval, the user’s presence is “persisted” 
(made permanent up to an interval) so that if the user leaves the room momentarily, his/her 
membership in the group is not lost. Also, to prevent transient occupants from being added 
20 to the user group, the detection of a token would not cause the addition of a user to a group 
unless confirmed or authenticated. Thus, the appliance could request confirmation that a new 
occupant confirm that he/she should be added to the user group. 

Referring to Fig. 5, when, in event S40, a User A’s RFID links with an 
appliance in use by User’s B and C, in step S50, the appliance starts a watchdog timer. In 
25 step S 1 00, if User A actively enters the group, perhaps by clicking an icon on a television 
screen indicating that a new user is pending acceptance into the group, User A is added in 
step S65. Otherwise, in step S55 the link is tested to determine if User A remains linked. If 
User A has de-linked, he/she is removed from the pending list and the thread of Fig. 5 is 
terminated. If User A remains linked in step S55, the watchdog timer is tested in step S60. If 
30 the timer has timed out, -control passes to step S65 and if not, control returns to step S 1 00. 

Referring to Fig. 6, when, in event S70, User A’s RFID de-links from an 
appliance in use by User’s B and C, in step S75, the appliance starts a watchdog timer. In 
step SI 05, if User A actively leaves the group, perhaps by clicking an icon on a television 
screen indicating current members of the group, User A is removed from the group in step 
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S90. Otherwise, in step S80 the link is tested to determine if User A has re-linked. If User A 
has re-linked, he/she remains in the current group and the thread of Fig. 6 is terminated. If 
User A remains unlinked in step S80, the watchdog timer is tested in step S85. If the timer 
has timed out, control passes to step S90 and if not, control returns to step SI 05. 

5 Alternatively, the devices could be required to be placed right near the 

appliance. In this scenario, each user would leave his token or device on top of or near the 
appliance while he/she expected to remain an active member of a group of users. This would 
have the advantage of preventing inadvertent addition of transient occupants of the room 
being added to the user group. Referring to Figs. 7 and 8, when a link is established, the user 
10 is in the group and when the link is broken, the user is removed from the group as indicated 
by events S120 and S130 and steps S125 and S135. 

For security, the token may provide data identifying the token as well as the 
relay location URL and the smart appliance may be required to transmit this identifier in 
order to be authorized to receive data from either the relay server 310 or the profile server 
15 305 or both. With this authorization requirement, if a user lost his/her RFID device, he/she 

could indicate the loss of the device to either the profile server administrator or the relay 
server administrator. Subsequent attempts to use the device could then be unauthorized. 

Referring to Fig. 9, in step S210, the appliance 340 transmits the token ID and 
authentication data (for example a PIN code prompted by the appliance 340). Note that the 
20 authentication data may be left out, since the token ID may serve as the authentication. Then, 
in step S215 the appliance 340 requests the relay URL. In step S217, the relay server 
determines whether the request is valid or invalid and if valid, in step S220, transmits back to 
the appliance 340, the location of the profile data. If invalid, the thread terminates. In step 
S225, the appliance requests profile data from the profile server 305. Finally, in step 230, the 
25 profile data is returned. 

Referring to Fig. 10, in step 240, the token transmits its ID and relay URL to 
the appliance 340. The appliance then transmits authentication data and the token ID to the 
relay server 310 at step S215. The relay server determines if the token is authorized at step 
S21 7 and if so, transmits the profile URL at step S220. If the token is not authorized, a 
30 rejection is transmitted and the thread is terminated. Then in steps S225 and S230, the profile 
data is transmitted to and received by, respectively, the appliance 340. 

An example of a relay URL is: 
http://123 . 1 23 . 1 23 . 123/tokens/<token ID> 
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Preferably this would link to a so-called dynamic web site that took in the 
token ID and ran an internal process that responded to it. In the above, the token ED and the 
URL are essentially the same, the former simply being passed to a server process as an 
argument within the rest of the URL. An example of a profile URL is: 

5 http://www.funpage.com/myhomepage/~joesmith/<password>/profile.dat. The latter URL 
contains a secret directory name which acts as a password so that it cannot be accessed idly. 
The data file could simply be downloaded by any appliance accessing it. Alternatively, the 
profile URL could point to a dynamic site that prompts an exchange. For example, such a 
site could request data identifying the type of appliance. A profile server process could use 
1 0 this information to transmit only the relevant data for the type of appliance. In addition, the 
user(s) may be prompted to enter a PIN number or some other authentication device to allow 
the profile to be used. The user may enter the authentication information on the appliance or 
via the RFID device itself. Thus, the tag could be provided with a small user interface 
allowing input and display of data. 

1 5 When a token is lost, the relay URL could simply be discontinued for all time 

or reused by coupling it to a new secondary authentication tag. 

As the constitution of a user group changes, the appliance may provide 
information about the combined profile so that the group can make adjustments or reconcile 
conflicts. The goodness of fit of available options to the groups preferences in combination 
20 can usually be determined, depending on the type of predictive engine being used. This topic 
is outside the scope of this patent, so it will not be discussed here. However, each 
combination of profiles would permit a unique set of options, each of whose combined value 
can be determined. Thus, a group of sports-lovers would achieve a higher total value in their 
most preferred set of choices than a group containing a mix of tastes. Referring to Fig. 11, 

25 when a group changes composition in step S400, the appliance 340 may recalculate the 
combined profile in step S405. In step S410, the value of the profile may be determined in 
step S410 and if greater than the value of the previous profile, in step S415, the appliance can 
present for selection the new set of options in step S420. 

Profiles will inevitably contain imperfect information and methods for 
30 reconciling them may always be limited to some extent. Thus, for example, the non-presence 
of sitcoms in one user’s profile could indicate indifference or antipathy. The mechanism for 
reconciling may be limited to simple logical operations such as union or intersection of sets 
of rules. Presenting feedback on the combined profile could allow the users to create a more 
intelligent reconciliation. Referring to Fig. 12, a user interface to support such an interactive 
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reconciliation may display all the categories of favored material from the various profiles and 
allow the user(s) to select from among them. For example, in Fig. 1 1, a user interface 
displays categories 510 from each user’s profile in a first area of a screen 500. In a second 
area 505, the interface displays selected categories 525 generated by combining group 
5 preferences. The group has selected one of the categories 520 to add to the group preferences 
as indicated by the arrow 515. 

Combining profiles need not be a constant homogenized solution space. It is 
possible for a single group, which is planning to watch TV for a period of, say two hours, to 
compromise in a time-dependent way that maximizes the value for all members. Suppose the 
10 combination of profiles suggests highly preferred programming for one member or subgroup 
during the first hour and highly valued programming for another member or subgroup during 
the second hour. If the appliance knew the time during which the group would use the 
appliance together, it could make use of that information to allow selections to be made that 
would segregate the high value selections in time. The result would be that one member 
1 5 would get to see his/her most preferred programming during a first interval while another 

would get to see his/her most preferred programming during a second interval. 

When a consumer buys an appliance, multiple RFID devices may be shipped 
with it. In a preferred embodiment, each of the RFID devices is shaped differently, like the 
pieces of a game, such as Monopoly®. That way, each member of a family can choose the 
20 piece that they identify with. 

Alternatively, a single device may be shipped with a new appliance and further 
devices purchased when and if required. If the devices are to be used with multiple types of 
appliances or even multiple appliances made by multiple manufacturers, there may be a 
communications protocol standard that all would adopt. Alternatively, different protocols 
25 may be used by different manufacturers and each appliance built to recognize and interact 
with the devices of other manufacturers. If multiple devices are shipped with a product, to 
prevent wasted resources in the relay server, a user is required to register his/her device. The 
user logs onto the relay server, authorizes him/herself as a valid user, and enters the profile 
URL. The user can always change or update this URL, but the resources required for each 
30 user is very small so that many users can be serviced with a very small storage space. Also, 

to minimize contact with the relay server, appliances can be programmed to persist the 
profile data or the URL data for a period of time before the data is expired. Preferably this 
data is never revealed unless via a secure interface, so storage on the appliance should not 
present a privacy problem. 
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The invention contemplates a private profile database. According to one 
feature of the invention, each appliance may contribute information to this database. The 
prior art contains various descriptions of systems that adapt to user preferences by observing 
user-interaction with the appliance. For example by observing a user’s programming choices 
5 over time, an EPG set top box can derive mles and use these to personalize the EPG in the 
future. This profile data may be uploaded by the appliance to the user’s personal profile 
server. Preferably, the data format would be standardized across multiple classes of 
appliances, but this is not essential. For example, the data could be XML-tagged and stored 
ad hoc, allowing various devices to make sense of it through the tagging. 

1 0 As described above, the invention provides, among other things, the ability to 

“move” profile or preference data among various appliances. It also provides the ability to 
associate the profile or preference data with a physical object rather than something that must 
be memorized, like a URL. It further provides a simple, fast, convenient mechanism for 
identifying a user without requiring data entry through a user interface. It still further 
15 provides the ability for an ad hoc group to be defined and indicated to an appliance and have 
multiple user profiles merged thereby. Still further, it provides the ability for a manufacturer 
to provide a key to the supporting service infrastructure without requiring the manufacturer to 
support the bulk of the necessary data. The latter feature has the advantage of permitting 
devices for making the user’s data more secure and private. 

20 According to another feature of the invention, a user interface allowing 

interaction with the profile server or an administrative server controlling data accessible via 
either or both, allows the user to correlate a particular subset of his/her profile data with a 
given RFID device. For example, the user may buy multiple RFID tokens. The user may 
wish to permit another person to have the user’s personal telephone list. The user can, 

25 through a user interface of an administrator process running either on the relay server, the 
profile server or another server, associate the token with only that particular subset of his/her 
profile data. The administrator user interface would allow the entry of the token ID (either 
automatically or by entering a code associated with the ID effective to identify it uniquely). 
The user interface would permit the association of various permissions with the particular 
30 token. After doing so the administration process would configure a gate-keeping process that 
insured that only the specified data could be obtained from the profile using that particular 
token. The gate-keeping process may run for example on the relay server which indicates to 
the profile server that only a specified subset of data is authorized. Alternatively, the gate- 
keeping function may be provided on the profile server. Among the options provided by the 
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administrative user interface could be a time-to-live parameter that makes a token unusable 
after a specified period of time. 

Although the invention is discussed above with regard to, principally, an RFID 
tag or device, it is noted that any kind of data delivery device could be used. For example, 

5 the appliance user interface may be used to enter the relay URL manually or the URL could 
be stored on a smart card, bar code, or other means for transmitting data. 

Note also that a feature of the invention is that the profile data on the profile 
server may include variegated preference data that includes data relating to various 
appliances and contexts. Thus the profile data may include software workstation 
10 environment preferences, telephone speed dial lists, PDA address and phone book entries, 
recipes, oven temperature settings, refrigerator settings, dishwasher washing modes, Internet 
site favorites, etc. These various data may be stored in a single corpus of preference data and 
accessed and administered by the same user interface. 

It will be evident to those skilled in the art that the invention is not limited to 
1 5 the details of the foregoing illustrative embodiments, and that the present invention may be 

embodied in other specific forms without departing from the spirit or essential attributes 
thereof. The present embodiments are therefore to be considered in all respects as illustrative 
and not restrictive, the scope of the invention being indicated by the appended claims rather 
than by the foregoing description, and all changes which come within the meaning and range 
20 of equivalency of the claims are therefore intended to be embraced therein. 
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1 . A radio transmission device, comprising: 

a memory (502) containing a relay uniform resource locator (URL), said relay 
URL indicating an address of a relay server programmed to transmit a profile URL indicating 
an address where a preference profile corresponding to said radio transmission device is 
5 stored; 

a transmitter (501) connected to said memory such as to permit transmission 
of said relay URL to an appliance (340). 

2. A device as in claim 1, wherein said memory contains a unique identifier of 
1 0 said radio transmission device for transmitting to said appliance. 

3 . A device as in claim 1 , wherein said transmitter and said memory are part of a 
transponder with no internal power source. 

15 4. A network server, comprising: 

a memory (640), a controller (610), and a network interface (620) effective to 
respond to relay addresses stored on various ID devices (100) and to receive an ID device 
identifier from one of said ID devices transmitted by an appliance (340); 

said controller being programmed to retrieve from said memory a profile 
20 address where a profile corresponding to said ID device identifier is stored; 

said controller being programmed to transmit said profile address to said 

appliance. 

5. An appliance, comprising: 

25 a controller (343) and a receiver (341) connected thereto and effective to 

receive an ID device identifier; 

a network interface (342) connectable to a relay server (305, 630) 
corresponding to said ID device; 
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said controller being programmed to transmit data responsive to said identifier 
to said relay server and receive a profile address in response from said relay server; 

said controller being further programmed to access profile data on said profile 

server. 

5 

6. A method of controlling the operation of an appliance, comprising the steps of: 
delivering first access data to an appliance, said access data providing network 

access to first configuration data; 

receiving at said appliance at least a portion of said first configuration data via 

10 said network; 

configuring said appliance responsively to said first configuration data; 
delivering second access data to said appliance, said second access data 
providing network access to second configuration data; 

receiving at said appliance at least a portion of said second configuration data; 
1 5 reconfiguring said appliance responsively to said second configuration data. 

7. A method as in claim 6, wherein said first and second steps of delivering each 
include delivering data from a portable device permanently storing said first and second 
access data, respectively. 

20 

8. A method as in claim 7, wherein said first receiving step includes receiving 
first relay data responsive to a network server identified in said first access data, receiving 
profile data made accessible via said network by said first relay data and said second 
receiving step includes receiving second relay data responsive to a network server identified 

25 in said second access data, and receiving profile data made accessible via said network by 
said second relay data. 

9. A method as in claim 6, wherein said first receiving step includes receiving 
first relay data responsive to a network server identified in said first access data, receiving 

30 profile data made accessible via said network by said first relay data and said second 

receiving step includes receiving second relay data responsive to a network server identified 
in said second access data, and receiving profile data made accessible via said network by 
said second relay data. 




WO 01/99410 



PCT/EP01/06887 



19 



5 



10. A method as in claim 6, wherein: 

said first and second steps of delivering include delivering data from a 
portable device permanently storing said first and second access data, respectively; 
said device is a radio frequency identification device. 

11. A method as in claim 10, wherein each of said first and second access data are 
permanently stored in respective first and second radio frequency identification devices. 



1 2. A method as in claim 1 1 , wherein said steps of delivering include co-locating 

10 a radio frequency identification device with said appliance. 



13. A method as in claim 6, wherein said first step of receiving includes receiving 

a portion of profile data including data relating to said appliance and data relating to another 
type of appliance. 
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FIG. 8 
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FIG. 9 
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FIG. 11 
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FIG. 12 





